Jump to content

djacobson

Staff
  • Content Count

    1,295
  • Joined

  • Last visited

Posts posted by djacobson


  1. @Eleanor67 The push tool status is inconsequential, it is not live data. It shows what was the last result of you using the push tool. A machine being pushed to in that moment has a set hardcoded timer that it must reply back within or it will get tagged as unregistered, it is not a "smart" enough app to know more than that about a client during install; even if the client successfully registers anytime after the timer. The client view online/offline status has nothing to do with the 'client has not been registered' execution result of the push tool. If you do not wish to see the push tool results say 'client has not been registered', I can write an SQL query to delete them for you.

     

    @JPerez1969 Use all three to restart the service, it is why they are there. It is also likely you are experiencing an entirely different client issue than eleanor, the thing you have in common so far is the push tool results. Clients flipping offline/online in client view when the actual machine is the opposite of what it says can be a myriad of items. The MEEClientService being off when you go check on it has two or three causes.

    Other items that can help:

    • Disable Windows fastboot.
    • Try setting MEEClientService from Automatic to Automatic (delayed start) - this is the "Start Up Type" option in policy or can be done directly in Windows Services.msc.
    • Exclude "C:\Program Files (x86)\Malwarebytes' Managed Client\sccomm.exe" from Windows Firewall, Windows Defender, and any other security or access restricting programs you may have in place.
    • Ensure C:\Program Files (x86)\Malwarebytes' Managed Client\sccomm.exe.config is not blank.
    • Also ensure that C:\ProgramData\sccomm\SCComm.xml is not blank and contains the correct server address.

  2. Logging in as an admin or user in an admin group with modern Windows does not give you administrative permissions directly. If you have not yet tried this, right click the exe and run as admin. The MSI needs to be ran with an msiexec command from an admin elevated CMD. Also make sure the installers are copied locally to the machine being installed, they do not work reliably, if at all, over network drives and shares.


  3. Usually with servers, it's best to use the Windows Admin account as the logon for the push tool rather than your domain admin creds. Temporarily enable it if you have it off, and give it a password. Even when you are the AD admin, often times that is not enough to give the push tool the ability to access the another server.


  4. 3 hours ago, Eleanor67 said:

    Our clients display as "...The client has not been registered". In addition, some of those clients are now not reporting to MMC. But, if you restart the services then it show on MMC

    Hi @Eleanor67, please use your service failure options in Policy -> your policy -> Edit -> General -> Enable Service Recovery Options. Set the options, changing the "None" to "Restart Service", use an initial time of 2 minutes.


  5. Hi @wep, if the endpoint has the installation already, you can right click the system tray icon and start a scan. This will follow whatever is set in the policy, so if you do not have an installation on that machine or are disconnected from the network and need to use a more customizable scan, grab your MBBR (Malwarebytes Breach Remediation) tool. This is a cmd tool for Windows, terminal and gui for Macs. You can find it in your Endpoints -> Add Endpoints -> Dissolvable Unmanaged Remediation Tool. Instructions on how to use and the scan switches available are contained within a PDF guide that is inside the download. Let me know if you need any help.


  6. Apologies for coming across this so late in the week @theyzer! 

    We've had a series of agent updates recently, it's possible some could need a restart to finish it.

    There's also a recent virtual adapter issue that's popped up, this is related to engine version 1.2.0.680, in some cases it is having trouble downloading the plugins, so you may not have the items needed to run scans or the Malwarebytes Service (mbamservice.exe). Malwarebytes Endpoint Agent service (MBCloudEA.exe) and the tray icon (Endpoint Agent Tray.exe) are likely still running.

    We can confirm the version and some of the behavior in logs from the machine, though let's move the conversation about that back to your thread - https://forums.malwarebytes.com/topic/245780-green-icon-for-endpoints-in-console-turns-grey-and-stops-scanning/

     


  7. There are many moving pieces to MBMC, the server, the client comm, and the three separate protection software products, MBAM, MBAE and MBARW:
    MBMC 1.9.0.3671
    Managed Client communicator (must match console) 1.9.0.3671
    Anti-Malware 1.80.2.1012
    Anti Exploit 1.12.2.147
    Anti-Ransomware 0.9.18.806

    You can right click the top row of your MBMC Client View and add the version number to the columns to see them. On the endpoints, Anti-Malware will not be seen, it is installed under the Malwarebytes Managed Client version entry. So is Anti-Exploit, until it next upgrades over the air to a version newer than the console deploys, then it will show a new separate entry


  8. @straffin, yes we do have such tools. You can use the one attached* for interacting with, and triggering the real time, or leave it somewhere for a scanner to find.

    *Linked on Box in new thread.

    Another good resource to test that the scanner is looking in certain areas during scheduled scans, is using Spycar. They make a test detection suite for scanner engines - http://www.testmypcsecurity.com/securitytests/all_tests.html#AllTests*

     *Spycar is dead, RIP. ☠️

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.